U.S. Healthcare Companies Hardest Hit by 'Stegoloader' Malware

North American healthcare organizations appear to be getting hit the hardest by the Stegoloader Trojan making headlines recently.

According to Trend Micro, most of the infections during the past three months occurred in the United States (66.82 percent), Chile (9.1 percent), Malaysia (3.32 percent), Norway (2.09 percent) and France (1.71 percent).

The malware, which became active a few years ago, uses steganography techniques to hide its components in .PNG files. The technique has also been used by threats such as the Neverquest Trojan. In the case of Stegoloader, the PNG image and the decrypted code are not saved to the disk, and the malware’s main module exists in a memory area allocated specifically for this purpose.

"There have been recent successful breaches exposing millions of customer files of healthcare organizations like Anthem and Premera Blue Cross," blogged Homer Pacag, threat response engineer at Trend Micro. "Although yet to be seen in attacks, steganography can potentially be a new technique cybercriminals looking to perform healthcare attacks can use to expose medical records in the future."

According to Trend Micro, the technique of embedding malicious code in image files to evade detection will continue to gain popularity among attackers, and the reemergence of the Trojan and its focus on certain regions and industries shows cybercriminals are continually experimenting with different uses of steganography for spreading threats.

"When we first blogged about the malware in January 2014, the TROJ_GATAK.FCK variant was bundled with key generators for various applications and FAKEAV is its final payload," Pacag noted. "The final payload for the three recent samples of the malware, TROJ_GATAK.SMJV, TROJ_GATAK.SMN, and TROJ_GATAK.SMP are under analysis."

"Note that the routines from variants of past years remain the same," the researcher continued. "The malware is downloaded from the Internet by users who believe it to be key generators or keygens. Once downloaded, it poses as a legitimate file related to Skype or Google Talk. It eventually downloads the stock photo where a huge part of its routines is embedded. The following are samples of photos used by the malware to embed malicious components."

The malware also has anti-virtual machine and anti-emulation capabilities to thwart analysis.

"Past attacks using steganography have been noted to use interesting but seemingly harmful sunset and cat photos to target online bank accounts," Pacag blogged. "Although the technique of using photos is quite old, its ability to help cybercriminals and threat actors evade detection remains a strong reason for its continuous use in the wild."